\subsection{Overview}
\begin{frame}
    \frametitle{What is it?}
    \begin{itemize}
        \item IDAPython extends IDA with Python
        \item The whole IDC function set and the plugin API are available
        \item Python is an incredibly powerful scripting language
        \item The blend allows for extreme flexibility when writing custom analysis tools
        \item \emph{ida2sql}, for instance, was written using IDAPython and exports nearly the whole IDB to an SQL database for advanced and automated data-mining
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Resources}
    \begin{itemize}
        \item First introduced in the paper "Digital Genome Mapping - Advanced Binary Malware Analysis"
        \begin{block}{}
            \pedref{CarreraErdelyiVB04}
        \end{block}{}
        \item Available for download from:
        \begin{block}{}
            \begin{center}
                http://d-dome.net/idapython
            \end{center}
        \end{block}{}
        \item Good article on OpenRCE: "Introduction to IDAPython"
        \begin{block}{}
            \pedref{IDAPythonIntro}
        \end{block}
        \item ida2sql is available at:
        \begin{block}{}
            \begin{center}
                http://dkbza.org/ida2sql.html
            \end{center}
        \end{block}{}
    \end{itemize}
\end{frame}


\subsection{Examples}
\begin{frame}[fragile]
    \frametitle{Reading a string}
Reading and printing a string from the current cursor location:
    \begin{block}{}
        \begin{semiverbatim}
\uncover{ea = ScreenEA()}
\uncover{}
\uncover{s = ""}
\uncover{while True:}
\uncover{   b = Byte(ea)}
\uncover{   if b == 0:}
\uncover{       break}
\uncover{   s += chr(b)}
\uncover{   ea += 1}
\uncover{}
\uncover{print s}
        \end{semiverbatim}
    \end{block}
\end{frame}

\begin{frame}[fragile]
    \frametitle{XOR-ing a string}
    \begin{block}<1->{}
        \begin{semiverbatim}
\uncover{ea = ScreenEA()}
\uncover{}
\uncover{s = ""}
\uncover{while True:}
\uncover{   b = Byte(ea)}
\uncover{   if b == 0:}
\uncover{       break}
\uncover{   b = b^0xff}
\uncover{   PatchByte(ea, b)}
\uncover{   ea += 1}
\uncover{}
\uncover{print s}
        \end{semiverbatim}
    \end{block}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Enumerating Segments}
    \begin{block}<1->{}
        \begin{semiverbatim}
\uncover{for seg in Segments():}
\uncover{   print '%08x-%08x' % (seg, SegEnd(seg))}
        \end{semiverbatim}
    \end{block}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Enumerating Functions}
    \begin{block}<1->{}
        \begin{semiverbatim}
\uncover{for f in Functions(start\_addr, end\_addr):}
\uncover{   print '%s: %08x-%08x' % (Name(f), f, FindFuncEnd(f))}
        \end{semiverbatim}
    \end{block}
\end{frame}

\begin{frame}[fragile]
    \frametitle{Enumerating Heads}
    \begin{block}<1->{}
        \begin{semiverbatim}
\uncover{for h in Heads(ScreenEA(), ScreenEA()+100):}
\uncover{   print hex(h)}
        \end{semiverbatim}
    \end{block}
\end{frame}


\begin{frame}
    \frametitle{Collecting Function Chunks}
    \begin{itemize}
        \item     Some compilers generate optimized code containing features such as
            \pedbullet{Functions share basic blocks}
            \pedbullet{The layout of \emph{basic blocks} within the binary is affected by the likelihood of them being run}
        \item \emph{IDA} handles the resulting "fragmented" functions by collecting all the parts in chunks
        \item The functions \emph{func\_tail\_iterator\_t()}, \emph{func\_iter.main()}, \emph{func\_iter.chunk()}, \emph{func\_iter.next()} allow to retrieve them
    \end{itemize}
\end{frame}


\begin{frame}[fragile]
    \frametitle{Collecting Function Chunks (2)}
    \begin{block}<1->{}
    \begin{small}
        \begin{semiverbatim}
\uncover{ function_chunks = []}
\uncover{ #Get the tail iterator}
\uncover{ func_iter = idaapi.func_tail_iterator_t(idaapi.get_func(ea))}
\uncover{}
\uncover{ # While the iterator's status is valid}
\uncover{ status = func_iter.main()}
\uncover{ while status:}
\uncover{  # Get the chunk}
\uncover{  chunk = func_iter.chunk()}
\uncover{  # Store its start and ending address as a tuple}
\uncover{  function_chunks.append((chunk.startEA, chunk.endEA))}
\uncover{  # Get the last status}
\uncover{  status = func_iter.next()}
        \end{semiverbatim}
    \end{small}
    \end{block}
\end{frame}


\subsection{Exercises}
\begin{frame}
    \frametitle{Mydoom Backdoor DLL Extraction}
    \begin{itemize}
        \item Locate the DLL bytes in memory
        \item Locate the DLL decoder
        \item Write an IDA Python script to decode and save the DLL to disk
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Mydoom String De-obfuscation}
    \begin{itemize}
        \item Locate some obfuscated strings
        \item Determine the obfuscation method
        \item Write an IDA Python script to restore the original strings
    \end{itemize}
\end{frame}